Reputation: 189
We have several projects (ASP.NET MVC) that will require a Role / User / Permissions security model. We want to keep this data in tables in our database. How do you recommend we go about implementing this security model with our ASP.NET MVC projects? Use custom authorization attributes that will determine if a user is authorized by interacting with the data model in our database?
Are there third party / open source options available?
Upvotes: 3
Views: 3246
Reputation: 4830
The way I approached this is to reflect on controller actions. I still use the normal ASP.NET membership provider, but then have an actions table that stores all my controller/actions.
Secondly, I created a base controller and added the authorize attribute on the base controller. I then overrode the authorization "event" and did a check there if a user has access to that specific action. I did the same with OnActionExecuting.
Upvotes: 1
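One way to implement the base-controller check described in the answer above, as an added example that is not the answerer's code. It assumes ASP.NET MVC 3 or later on System.Web; `IActionPermissionStore`, `DbAuthorizeAttribute`, `StoreFactory` and `SecuredController` are hypothetical names standing in for your own data access and base class.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical abstraction over the actions/permissions tables (an assumption).
public interface IActionPermissionStore
{
    // True only when an explicit grant row exists for user + controller + action.
    bool IsGranted(string userName, string controller, string action);
}

public class DbAuthorizeAttribute : AuthorizeAttribute
{
    // Assumed to be assigned once at application start (e.g. in Global.asax).
    public static Func<IActionPermissionStore> StoreFactory { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The base check rejects anonymous users (and applies Users/Roles if set).
        if (!base.AuthorizeCore(httpContext)) return false;

        var values = httpContext.Request.RequestContext.RouteData.Values;
        var controller = values["controller"] as string;
        var action = values["action"] as string;
        var factory = StoreFactory;

        // Fail closed: no route values or no store configured means no access.
        if (controller == null || action == null || factory == null) return false;

        return factory().IsGranted(httpContext.User.Identity.Name, controller, action);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not permitted: 403, so the user is not bounced to login.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Every controller deriving from this base is checked on every action.
[DbAuthorize]
public abstract class SecuredController : Controller { }
```

If the application uses areas, include the area name in the permission key so that controllers with the same name in different areas do not share grants.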
Reputation: 8214
I use Rhino Security for a complex MVC site and love it.
http://ayende.com/Blog/archive/2008/01/22/Rhino-Security-Overview-Part-I.aspx
Security calls end up looking like this:
    permissionBuilderService
        .Allow("/[Controller]", 1)
        .For("GAAdmins", 1)
        .OnEverything()
        .DefaultLevel()
        .Save();

    authorizationRepository.AssociateUserWith(user, "GAAdmins");

    if (authService.IsAllowed(user, "/[Controller]/[Action]"))
        ...;
Upvotes: 0
Reputation: 13083
If you are willing to use Entity Framework, there's an EF Membership provider for MVC here: http://efmembership.codeplex.com/
Upvotes: 2